On 12/10/16 14:46, Konstantinos Tsimaris wrote:
> I have seen various posts mentioning that after 1 January 2017, browsers
> will stop support of SHA1 signed CAs. I am looking into a way to identify
> which WEB sites will not work until a new certificate is applied and
> demonstrate that after the change it will work. I know that can be done via
> checking the issued CA. Is there a way using Firefox to replicate the
> behavior/block prior to that date?
>
> Second, I would like to ask if a user has the option to permit it if required, for
> example using "security.pki.sha1_enforcement_level"

That preference is exactly how you test the behaviour prior to the date the block is implemented. Set the value to 1 (entirely forbidden) or 3 (forbidden for public roots).

Users will be able to permit SHA-1 individually after the block is enacted by default, using that pref. Also, the current plan is that the error will be overridable. However, we would counsel all sites to move away from SHA-1 as the user experience will be as bad as the security.

Gerv

